On July 11, the Department of Health and Human Services (HHS) announced that WellPoint, a managed care company, paid HHS $1.7 million to settle potential violations of the HIPAA Privacy and Security Rules. 

Like other recent enforcement actions, HHS initiated its investigation into WellPoint after the company provided notification of a breach of unsecured protected health information (PHI).  WellPoint’s breach report, submitted in June 2010, indicated that security weaknesses in an online application database had left the electronic PHI of approximately 612,402 individuals accessible to unauthorized individuals online. 

HHS’s investigation indicated that:

  • From October 2009 to March 2010, WellPoint did not adequately implement policies and procedures for authorizing access to electronic PHI in the online application consistent with the HIPAA Security Rule;
  • WellPoint did not perform a sufficient technical evaluation following a software upgrade related to authentication safeguards for the online application;
  • For the same five-month period, WellPoint did not implement technology to verify that persons or entities seeking access to the application were who they claimed to be; and
  • For that same period, WellPoint impermissibly disclosed the electronic PHI (including names, dates of birth, Social Security numbers, and health information) of approximately 612,402 individuals whose information was maintained in the application.

WellPoint’s resolution agreement with HHS required the company to pay, by July 11, $1.7 million to HHS to settle the matter. Unlike other recent settlements, however, HHS did not require WellPoint to implement a corrective action plan.

In the press release, HHS stated that this case “sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to” web-based applications used to provide online access to consumers’ health data. HHS also included a reminder that, beginning September 23, 2013, liability for many HIPAA provisions will extend to business associates (including contractors and subcontractors).